
Thread: Old MS Alerts

  1. #161
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    MS08-078 for IEv7 released

    FYI...

    Microsoft Security Advisory (961051)
    Vulnerability in Internet Explorer Could Allow Remote Code Execution
    - http://www.microsoft.com/technet/sec...ry/961051.mspx
    December 17, 2008 - "Microsoft has completed the investigation into a public report of this vulnerability. We have issued MS08-078* to address this issue. For more information about this issue, including download links for an available security update, please review MS08-078. The vulnerability addressed is the Pointer Reference Memory Corruption Vulnerability - CVE-2008-4844**..."

    ** http://web.nvd.nist.gov/view/vuln/de...=CVE-2008-4844

    > http://support.microsoft.com/?kbid=960714
    Last Review: December 18, 2008 - Revision: 2.0

    Microsoft Security Bulletin MS08-078 - Internet Explorer
    Security Update for Internet Explorer (960714)
    * http://www.microsoft.com/technet/sec.../ms08-078.mspx
    December 17, 2008
    Severity Rating: Critical
    Affected Software: Microsoft Windows, Internet Explorer...
    Vulnerability Impact: Remote Code Execution...
    (May require restart)

    Last edited by AplusWebMaster; 2008-12-18 at 12:52.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #162
    Adviser Team AplusWebMaster's Avatar

    SQL Server...

    FYI...

    Microsoft Security Advisory (961040)
    Vulnerability in SQL Server Could Allow Remote Code Execution
    - http://www.microsoft.com/technet/sec...ry/961040.mspx
    December 22, 2008 - "Microsoft is investigating new public reports of a vulnerability that could allow remote code execution on systems with supported editions of Microsoft SQL Server 2000, Microsoft SQL Server 2005, Microsoft SQL Server 2005 Express Edition, Microsoft SQL Server 2000 Desktop Engine (MSDE 2000), Microsoft SQL Server 2000 Desktop Engine (WMSDE), and Windows Internal Database (WYukon). Systems with Microsoft SQL Server 7.0 Service Pack 4, Microsoft SQL Server 2005 Service Pack 3, and Microsoft SQL Server 2008 are not affected by this issue. Microsoft is aware that exploit code has been published on the Internet for the vulnerability addressed by this advisory. Our investigation of this exploit code has verified that it does not affect systems that have had the workarounds* listed below applied. Currently, Microsoft is not aware of active attacks that use this exploit code or of customer impact at this time. In addition, due to the mitigating factors for default installations of MSDE 2000 and SQL Server 2005 Express, Microsoft is not currently aware of any third-party applications that use MSDE 2000 or SQL Server 2005 Express which would be vulnerable to remote attack. However, Microsoft is actively monitoring this situation to provide customer guidance as necessary...
    * Workarounds...
    Deny permissions on the sp_replwritetovarbin extended stored procedure..."

    - http://support.microsoft.com/kb/961040
    December 23, 2008

    - http://isc.sans.org/diary.html?storyid=5545
    Last Updated: 2008-12-23 14:13:19 UTC
    ___

    - http://www.microsoft.com/technet/sec...ry/961040.mspx
    Updated: February 10, 2009 - "...We have issued MS09-004* to address this issue... The vulnerability addressed is the SQL Server sp_replwritetovarbin Limited Memory Overwrite Vulnerability
    - http://web.nvd.nist.gov/view/vuln/de...=CVE-2008-5416 ..."

    * http://www.microsoft.com/technet/sec.../ms09-004.mspx

    Last edited by AplusWebMaster; 2009-02-11 at 12:42.

  3. #163
    Adviser Team AplusWebMaster's Avatar

    Collision attacks against MD5...

    FYI...

    Microsoft Security Advisory (961509)
    Research proves feasibility of collision attacks against MD5
    - http://www.microsoft.com/technet/sec...ry/961509.mspx
    December 30, 2008 - "Microsoft is aware that research was published at a security conference proving a successful attack against X.509 digital certificates signed using the MD5 hashing algorithm. This attack method could allow an attacker to generate additional digital certificates with different content that have the same digital signature as an original certificate. The MD5 algorithm had previously shown a vulnerability, but a practical attack had not yet been demonstrated. This new disclosure does not increase risk to customers significantly, as the researchers have not published the cryptographic background to the attack, and the attack is not repeatable without this information. Microsoft is not aware of any active attacks using this issue and is actively working with certificate authorities to ensure they are aware of this new research and is encouraging them to migrate to the newer SHA-1 signing algorithm. While this issue is not a vulnerability in a Microsoft product, Microsoft is actively monitoring the situation and has worked with affected Certificate Authorities to keep customers informed and to provide customer guidance as necessary...
    Mitigating Factors...
    • Most public Certificate Authority roots no longer use MD5 to sign certificates, but have upgraded to the more secure SHA-1 algorithm. Customers should contact their issuing Certificate Authority for guidance.
    • When visited, Web sites that use Extended Validation (EV) certificates show a green address bar in most modern browsers. These certificates are always signed using SHA-1 and as such are not affected by this newly reported research...
    Suggested Actions...
    • Do not sign digital certificates with MD5
    Certificate Authorities should no longer sign newly generated certificates using the MD5 algorithm, as it is known to be prone to collision attacks. Several alternative and more secure technologies are available, including SHA-1, SHA-256, SHA-384 or SHA-512.
    Impact of action: Older hardware-based solutions may require upgrading to support these newer technologies...


  4. #164
    Adviser Team AplusWebMaster's Avatar

    MS08-067 exploit in the wild

    FYI...

    - http://isc.sans.org/diary.html?storyid=5596
    Last Updated: 2008-12-31 14:26:41 UTC - "Symantec has identified W32.Downadup.B as a new worm that is spreading by taking advantage of the RPC vulnerability from MS08-067*. It does various things to install and hide itself on the infected computer. It removes any System Restore points that the user has set and disables the Windows Update Service. It looks for ADMIN$ shares on the local network and tries to brute force the share passwords with a built-in dictionary. At this point in time, the worm's purpose appears to be simply to spread and infect as many computers as possible. After January 1, 2009, it will try to reach out to a variety of web sites to pull down an updated copy of itself. You can find examples of the domain names in the Symantec W32.Downadup.B writeup**..."

    Vulnerability in Server Service Could Allow Remote Code Execution (958644)
    * http://www.microsoft.com/technet/sec.../ms08-067.mspx

    ** http://www.symantec.com/business/sec...826-99&tabid=2

    > http://web.nvd.nist.gov/view/vuln/de...=CVE-2008-4250

    - http://secunia.com/advisories/32326
    Last Update: 2008-10-24
    Critical: Highly critical...

    MS08-067 out-of-band netapi32.dll security update
    - http://blogs.technet.com/swi/archive...-MS08-067.aspx

    - http://support.microsoft.com/?kbid=958644

    - http://www.us-cert.gov/cas/techalerts/TA08-297A.html

    Last edited by AplusWebMaster; 2009-01-01 at 14:10. Reason: Added Secunia, US-Cert, and MS kb and blog links...

  5. #165
    Adviser Team AplusWebMaster's Avatar

    MS08-067 exploit spreads...

    FYI...

    - http://preview.tinyurl.com/7jxs8z
    01-06-2009 (Symantec blogs) - "... the most commonly infected systems appear to be Windows XP SP1 and earlier. Over 500,000 of the infected computers that contacted our server were running these operating system versions. Close behind was Windows XP SP2 and later systems. Windows 2000 and Windows 2003 had smaller shares. We believe that the W32.Downadup.A propagation routine has been very aggressive. It will continue to infect computers in the near future and receive updates via the aforementioned mechanism. Symantec discovered a new variant of this worm on December 30, 2008, dubbed W32.Downadup.B. This updated version contains additional propagation routines and what appears to be an altered domain generation routine. It’s not currently known if this new version was seeded to W32.Downadup.A infections or has independently spread through its own propagation routines.
    We strongly encourage all users to ensure that the patches available in MS08-067 have been applied and that antivirus products are fully up-to-date to ensure that this threat does not find its way onto computers."
    (Charts available at the URL above.)


  6. #166
    Adviser Team AplusWebMaster's Avatar

    MS08-067 worms...

    FYI...

    - http://www.f-secure.com/weblog/archives/00001574.html
    January 6, 2009 - "Over the last (few) days, we've received reports of corporate networks getting infected with variants of MS08-067 worms. These are mostly Downadup/Conficker variants. The malware uses server-side polymorphism and ACL modification to make network disinfection particularly difficult. A sign of infection is that user accounts become locked out of an Active Directory domain as the worm attempts to crack account passwords using a built-in dictionary. When it fails, it leads to those accounts being locked. We have detailed information about the malware functionality in our Downadup.AL description*. We also have a separate tool available to assist in disinfecting. The tool is available from here**. We also recommend system administrators block access to web sites used by the worm..." (Long list available at the URL above.)

    * http://www.f-secure.com/v-descs/worm...nadup_al.shtml

    ** ftp://ftp.f-secure.com/anti-virus/to...f-downadup.zip

    - http://web.nvd.nist.gov/view/vuln/de...=CVE-2008-4250
    Last revised: 11/21/2008
    CVSS v2 Base Score: 10.0 (HIGH)

    Last edited by AplusWebMaster; 2009-01-09 at 05:09.
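An added example, not part of the original post or F-Secure's tooling: detection logic for the infection sign quoted above, where one machine causes many different accounts to lock out in a short time. It assumes domain controller Security events exported as `timestamp,event_id,locked_account,caller_machine`; that column layout, the thresholds and the sample rows are constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Account-lockout event IDs: 644 (Windows 2000/2003), 4740 (Vista/Server 2008 and later).
LOCKOUT_EVENT_IDS = {"644", "4740"}

def lockout_bursts(log_text, window=timedelta(minutes=10), min_accounts=3):
    """Return {caller: [accounts]} for callers that triggered lockouts of at
    least min_accounts distinct accounts inside one sliding time window."""
    per_caller = defaultdict(list)
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) == 4 and row[1] in LOCKOUT_EVENT_IDS:
            ts, _, account, caller = row
            per_caller[caller.upper()].append((datetime.fromisoformat(ts), account.lower()))
    flagged = {}
    for caller, events in per_caller.items():
        events.sort()
        lo = 0
        for hi, (ts, _) in enumerate(events):
            while ts - events[lo][0] > window:      # shrink the window from the left
                lo += 1
            accounts = {acct for _, acct in events[lo:hi + 1]}
            if len(accounts) >= min_accounts:
                flagged.setdefault(caller, set()).update(accounts)
    return {caller: sorted(accts) for caller, accts in flagged.items()}

# Constructed sample export (assumed layout, see lead-in).
SAMPLE_LOG = """\
2009-01-06T09:00:05,644,jsmith,WKSTN-017
2009-01-06T09:00:09,644,mbrown,WKSTN-017
2009-01-06T09:00:14,644,adavis,WKSTN-017
2009-01-06T09:00:21,644,svc_backup,WKSTN-017
2009-01-06T09:14:40,644,jsmith,WKSTN-044
2009-01-06T09:20:00,528,jsmith,WKSTN-044
2009-01-06T11:02:00,644,klee,WKSTN-090
2009-01-06T15:30:00,644,tnguyen,WKSTN-090
2009-01-06T18:45:00,644,rpatel,WKSTN-090
"""

if __name__ == "__main__":
    for caller, accounts in lockout_bursts(SAMPLE_LOG).items():
        print(f"{caller}: {len(accounts)} accounts locked out in one window: {accounts}")
```

A single user mistyping a password (WKSTN-044) and lockouts spread over hours (WKSTN-090) stay below the threshold; only the burst from WKSTN-017 is reported.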

  7. #167
    Adviser Team AplusWebMaster's Avatar

    MS Bulletin Advance Notification - January 2009

    FYI...

    - http://www.microsoft.com/technet/sec.../ms09-jan.mspx
    January 8, 2009 - "This is an advance notification of (a) security bulletin that Microsoft is intending to release on January 13, 2009... (1)

    Windows Bulletin
    Maximum Severity Rating: Critical
    Vulnerability Impact: Remote Code Execution
    Restart Requirement: Requires restart
    Affected Software:
    Microsoft Windows 2000 SP4, XPSP2, XPSP3, Server 2003 - Critical
    Vista SP1, Server 2008 - Moderate


  8. #168
    Adviser Team AplusWebMaster's Avatar

    Downadup blocklist - MS08-067 worms...

    FYI...

    Downadup Blocklist
    - http://www.f-secure.com/weblog/archives/00001577.html
    January 9, 2009 - "Our post on Tuesday included a list of domains used by the Downadup worm. Today's list includes 1,500 additional sites used by the worm*."
    * http://www.f-secure.com/weblog/archi..._blocklist.txt


  9. #169
    Adviser Team AplusWebMaster's Avatar

    MS08-067 - variants of W32.Downadup.B - new ways to propagate

    More...

    New variants of W32.Downadup.B find new ways to propagate
    - http://preview.tinyurl.com/ay432s
    01-09-2009 Symantec Security Response Blog - "Symantec has observed an increase in infections relating to W32.Downadup over the holiday period and is urging organizations to apply the patch for Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (MS08-067) as soon as possible. A new variant of this threat, called W32.Downadup.B, appeared on December 30th and can not only propagate by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability, but can also spread through corporate networks by infecting USB sticks and accessing weak passwords... W32.Downadup.B creates an autorun.inf file on all mapped drives so that the threat automatically executes when the drive is accessed. The threat then monitors for drives that are connected to the compromised computer in order to create an autorun.inf file as soon as the drive becomes accessible. The worm also monitors DNS requests to domains containing certain strings and blocks access to those domains so that it will appear that the network request timed out. This means infected users may not be able to update their security software from those websites. This can be problematic as worm authors generally dish out new variants constantly... Click here** to obtain more information about how to prevent a threat from spreading using the "AutoRun" feature... more detail on the evolution and infection statistics of this threat, check out the earlier Security Response blog posting*..."
    W32.Downadup Infection Statistics
    * http://preview.tinyurl.com/7jxs8z
    01-06-2009 - "...graph shows the statistics, over a 72-hour period, of unique IP addresses versus unique IP address and user-agent pairs..."

    ** http://service1.symantec.com/SUPPORT...08032111570648


  10. #170
    Adviser Team AplusWebMaster's Avatar

    MS08-067 - Preemptive Downadup Domain Blocklist...

    FYI...

    Preemptive Downadup Domain Blocklist, Jan. 13-16
    - http://www.f-secure.com/weblog/archives/00001578.html
    January 12, 2009 - "Downadup variants use algorithmically determined URLs to report back to the bad guys. Reverse engineering the worm's code provides us with the method to predict which domains may be used in the future. Today's preemptive blocklist* includes an additional 1,000 URLs that WILL BE used by the Downadup from the 13th to the 16th. Network administrators can use this list as a preventive measure."
    * http://www.f-secure.com/weblog/archi...list_13_16.txt

    - http://isc.sans.org/diary.html?storyid=5671
    Last Updated: 2009-01-12 22:43:54 UTC

    - http://www.fortiguardcenter.com/repo...Conficker.html
    (MS08-067 exploit activity from October 2008 to January 2009...) graphic

    Last edited by AplusWebMaster; 2009-01-13 at 16:45.
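An added example, not part of the original posts or F-Secure's material: besides blocking, the blocklists from posts #168 and #170 can be run against resolver logs to find internal clients that are already trying to reach the worm's domains. The log layout (`timestamp client query_name`), the function names and every domain and address below are constructed placeholders, not entries from the real lists.

```python
from collections import defaultdict

def normalize(name):
    """Lower-case a DNS name and drop surrounding space and the trailing root dot."""
    return name.strip().rstrip(".").lower()

def load_blocklist(text):
    """Parse a one-domain-per-line list, skipping blank lines and # comments."""
    return {normalize(line) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")}

def blocked_parent(qname, blocklist):
    """Return the listed domain that qname equals or is a subdomain of, else None.
    Matching is on whole labels, so 'notbad.example' does not match 'bad.example'."""
    labels = normalize(qname).split(".")
    for i in range(len(labels) - 1):            # never test the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None

def clients_querying_blocked(query_log, blocklist):
    """Map client address -> sorted listed domains that client tried to resolve."""
    hits = defaultdict(set)
    for line in query_log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                            # skip malformed lines
        _, client, qname = parts
        match = blocked_parent(qname, blocklist)
        if match:
            hits[client].add(match)
    return {client: sorted(domains) for client, domains in hits.items()}

# Constructed sample data using reserved TLDs (.example / .invalid).
SAMPLE_BLOCKLIST = """\
# constructed entries, not from the published list
qxkvhbtz.example
lmwyrdpo.example
ujfnsagc.invalid
"""
SAMPLE_QUERIES = """\
2009-01-13T08:01:02 10.0.4.17 qxkvhbtz.example.
2009-01-13T08:01:03 10.0.4.17 www.LMWYRDPO.example
2009-01-13T08:02:10 10.0.9.3 update.vendor.example
2009-01-13T08:03:44 10.0.7.21 notqxkvhbtz.example
"""

if __name__ == "__main__":
    print(clients_querying_blocked(SAMPLE_QUERIES, load_blocklist(SAMPLE_BLOCKLIST)))
```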
